Practical industrial safety, risk assessment and shutdown systems for industry

  • File type: Book
  • Language: English
  • Author: Dave Macdonald
  • Publisher: Amsterdam ; Oxford : Newnes
  • Edition and year / country: 2004
  • ISBN: 9780750658041

Description (table of contents)

1.1 Definition of safety instrumentation (p. 1)
1.2 What is this book about? (p. 2)
1.3 Why is this book necessary? (p. 2)
1.4 Contents of the book (p. 3)
1.5 Introduction to hazards and risks (p. 3)
  1.5.1 Risk reduction (p. 4)
1.6 Fatal accident rate (FAR) (p. 5)
1.7 Overview of safety systems engineering (SSE) (p. 7)
  1.7.1 Introduction (p. 7)
  1.7.2 What do we mean by safety functions? (p. 7)
  1.7.3 Functional safety (p. 7)
1.8 Why be systematic? (p. 8)
  1.8.1 UK HSE publication (p. 9)
  1.8.2 HSE summary (p. 9)
  1.8.3 Conclusion: It pays to be systematic (p. 10)
  1.8.4 Scope 1 of safety systems engineering (p. 11)
1.9 Introduction to standards: IEC 61508 and ISA S84 (p. 11)
  1.9.1 Driving forces for management of safety (p. 11)
  1.9.2 Evolution of functional safety standards (p. 12)
  1.9.3 Introducing standard IEC 61508 (p. 13)
  1.9.4 Key elements of IEC 61508 (p. 13)
  1.9.5 Features of IEC 61508 (p. 13)
  1.9.6 Introducing Standard ANSI/ISA S84.01 (p. 15)
  1.9.7 Introducing Draft Standard IEC 61511 (p. 15)
1.10 Equipment under control (p. 16)
1.11 The safety life cycle model and its phases (SLC phases) (p. 17)
  1.11.1 Basic SLC (p. 17)
  1.11.2 ISA SLC (p. 18)
  1.11.3 IEC SLC versions (p. 18)
1.12 Implications of IEC 61508 for control systems (p. 20)
  1.12.1 Some implications of IEC 61508 for control systems (p. 20)
  1.12.2 Potential problems using IEC 61508 (p. 21)
1.13 Summary (p. 21)
1.14 Safety life cycle descriptions (p. 21)
  1.14.1 Overview of the safety life cycle based on Table 1 of IEC 61508 part 1 (p. 24)
1.15 Some websites for safety systems information (p. 26)
1.16 Bibliography and sources of information (p. 27)
  1.16.1 Suggested books (p. 28)
  1.16.2 Publications (p. 28)
  1.16.3 Reports (p. 29)
1.17 Guidelines on sector standards (p. 29)

2 Hazards and risk reduction (p. 33)
2.1 Introduction (p. 33)
2.2 Consider hazards under some main subjects (p. 34)
  2.2.1 General physical (p. 34)
  2.2.2 Mechanical plant (p. 34)
  2.2.3 Materials (p. 34)
  2.2.4 Electrical (p. 34)
  2.2.5 Chemical and petroleum (p. 34)
  2.2.6 Food processing (p. 34)
  2.2.7 Bio-medical/pharmaceuticals (p. 34)
  2.2.8 Nuclear power (p. 35)
  2.2.9 Domestic (p. 35)
  2.2.10 Industries where functional safety systems are common (p. 35)
2.3 Basic hazards of chemical process (p. 35)
  2.3.1 Some causes of explosions, fire and toxic release (p. 35)
  2.3.2 Logic diagram for an explosion (p. 36)
  2.3.3 Fires: causes and preventative measures (p. 37)
  2.3.4 Toxic material release (p. 37)
  2.3.5 Failures of equipment (p. 37)
2.4 Introduction to hazard studies and the IEC model (p. 38)
  2.4.1 Introduction to hazard studies (p. 38)
  2.4.2 Alignment with the IEC phases (p. 38)
  2.4.3 Box 1: Concept (p. 39)
  2.4.4 Box 2: Scope definition (p. 39)
  2.4.5 Box 3: Hazard and risk analysis (p. 39)
  2.4.6 Conclusions (p. 40)
2.5 Process control versus safety control (p. 40)
  2.5.1 Historical (p. 40)
  2.5.2 Separation (p. 41)
  2.5.3 Functional differences (p. 42)
  2.5.4 Specials: integrated safety and control systems (p. 43)
2.6 Simple and complex shutdown sequences, examples (p. 45)
  2.6.1 Simple shutdown sequence (p. 45)
  2.6.2 Complex shutdown sequences (p. 47)
2.7 Protection layers (p. 49)
  2.7.1 Prevention layers (p. 51)
  2.7.2 Mitigation layers (p. 52)
  2.7.3 Diversification (p. 52)
2.8 Risk reduction and classification (p. 52)
2.9 Risk reduction terms and equations (p. 56)
  2.9.1 Introducing the average probability of failure on demand, PFDavg (p. 57)
2.10 The concept of safety integrity level (SIL) (p. 58)
  2.10.1 When to use an SIS and how good must it be? (p. 58)
  2.10.2 How can we determine the required SIL for a given problem? (p. 60)
  2.10.3 Quantitative method for determining SIL (p. 60)
  2.10.4 Example application (p. 60)
  2.10.5 Summary (p. 61)
2.11 Practical exercise (p. 61)
  2.11.1 Example of SIL determination by quantitative method (p. 61)
  2.11.2 Comparative SILs table (p. 63)

3 Hazard studies (p. 65)
3.1 Introduction (p. 65)
3.2 Information as input to the SRS (p. 65)
  3.2.1 Information from hazard studies must be used (p. 66)
  3.2.2 The process hazard study life cycle (p. 66)
  3.2.3 Alignment of process hazard studies with IEC safety life cycle (p. 68)
  3.2.4 History (p. 69)
  3.2.5 Guideline documents (p. 69)
3.3 Outline of methodologies for hazard studies 1, 2 and 3 (p. 69)
  3.3.1 Process hazard study 1 (p. 69)
  3.3.2 Outline of hazard study 1 (p. 70)
  3.3.3 Timing (p. 70)
  3.3.4 Topics (p. 70)
  3.3.5 Environmental impact (p. 71)
  3.3.6 IEC: concept (p. 71)
3.4 Process hazard study 2 (p. 71)
  3.4.1 Outline (p. 72)
  3.4.2 Hazard study 2 – systematic procedure (p. 72)
3.5 Risk analysis and risk reduction steps in the hazard study (p. 73)
  3.5.1 Hazards of the EUC control system (p. 74)
  3.5.2 Event sequences leading to a hazard (p. 74)
  3.5.3 Hazardous event frequencies (p. 74)
  3.5.4 Inherent safety solutions (p. 74)
  3.5.5 Estimating the risk (p. 75)
  3.5.6 Adding more protection (p. 75)
  3.5.7 Typical protection layers or risk reduction categories (p. 75)
  3.5.8 Key measures to reduce the risk (p. 75)
  3.5.9 Process and operational safety measures (p. 76)
  3.5.10 Alarm functions (p. 76)
  3.5.11 Safety instrumented functions (p. 77)
3.6 Interfacing hazard studies to the safety life cycle (p. 78)
3.7 Evaluating SIS requirements (p. 79)
  3.7.1 Tolerable risk frequency (p. 80)
  3.7.2 Safe state of the process (p. 80)
  3.7.3 Trip functional requirements (p. 80)
  3.7.4 Action required to reach safe state (p. 80)
  3.7.5 Process safety time (p. 80)
  3.7.6 Tolerable rate of spurious trips (p. 80)
  3.7.7 SIS preliminary estimate (p. 81)
  3.7.8 Continuation to SRS (p. 81)
  3.7.9 Hazard 2 report (p. 81)
3.8 Meeting IEC requirements (p. 82)
  3.8.1 IEC requirements for hazard and risk analysis (p. 82)
3.9 Hazard study 3 (p. 82)
  3.9.1 Outline of methodology for HAZOP (p. 83)
  3.9.2 Outline of HAZOP method (p. 83)
  3.9.3 Concepts of change paths and elements (p. 84)
  3.9.4 Generating deviations (p. 85)
  3.9.5 Study procedure (p. 87)
  3.9.6 Causes of deviations (p. 88)
  3.9.7 Consequences of deviations (p. 88)
  3.9.8 Adding protection layers (p. 88)
  3.9.9 Recording of HAZOP results and safety functions (p. 89)
3.10 Conclusions (p. 89)
3.11 Fault trees as an aid to risk assessment and the development of protection schemes (p. 89)
  3.11.1 Fault trees (p. 89)
3.12 Hazard study 2 guidelines (p. 95)
  3.12.1 Introduction (p. 95)
  3.12.2 Method (p. 95)
  3.12.3 Review of hazard study 2 (p. 96)
  3.12.4 Hazard study 2 report contents (p. 97)
  3.12.5 Diagrams and tables supporting hazard study 2 (p. 98)
3.13 Hazard studies for computer systems (p. 104)
  3.13.1 Examples of potential causes of failures (p. 105)
  3.13.2 Guidelines (p. 105)
  3.13.3 Outline of ‘Chazop’ (p. 105)
  3.13.4 Hazard study 3 Chazop (p. 106)
3.14 Data capture checklist for the hazard study (p. 106)

4 Safety requirements specifications (p. 108)
4.1 Developing overall safety requirements (p. 108)
  4.1.1 Components of the SRS (p. 108)
  4.1.2 SRS input section (p. 109)
  4.1.3 SRS functional requirements (p. 109)
  4.1.4 SRS integrity requirements (p. 109)
4.2 Development of the SRS (p. 110)
  4.2.1 General development procedure (p. 110)
  4.2.2 The input requirements (p. 112)
  4.2.3 Developing the functional requirements (p. 112)
  4.2.4 Safety integrity requirements (p. 115)
  4.2.5 Conclusions on the SRS development (p. 116)
4.3 Documenting the SRS (p. 116)
  4.3.1 Checklist for SRS (p. 116)
  4.3.2 Defining the functions (p. 119)
4.4 Determining the safety integrity (p. 123)
  4.4.1 Diversity in SIL methods (p. 123)
  4.4.2 Summary of methods for determination of SILs (p. 123)
  4.4.3 Quantitative method (p. 124)
  4.4.4 Design example (p. 124)
  4.4.5 Summary of quantitative method (p. 127)
  4.4.6 Risk graph methods (p. 128)
  4.4.7 Defining parameters and extending the risk graph scope (p. 129)
  4.4.8 Risk graph guidance from IEC 61511 (p. 130)
  4.4.9 Calibration of the risk graph (p. 132)
  4.4.10 Software tools using risk graphs (p. 132)
  4.4.11 The safety layer matrix method for SIL determination (p. 132)
  4.4.12 The LOPA method for SIL determination (p. 133)
4.5 Summary of this chapter (p. 134)

5 Technology choices and the conceptual design stage (p. 135)
5.1 Introduction (p. 135)
  5.1.1 What does the conceptual design stage mean? (p. 135)
5.2 What do the standards say? (p. 136)
  5.2.1 ISA conceptual design stage (p. 136)
  5.2.2 IEC 61508 on conceptual design (p. 138)
  5.2.3 Skills and resources (p. 138)
  5.2.4 Conceptual design stage summary (p. 138)
5.3 Technologies for the logic solver (p. 139)
  5.3.1 Basic SIS configuration (p. 139)
  5.3.2 Shared functions (p. 140)
  5.3.3 Technology choices (p. 141)
  5.3.4 Pneumatics (p. 141)
  5.3.5 Relays (p. 141)
  5.3.6 The safety relay (p. 143)
  5.3.7 Solid-state systems (p. 144)
  5.3.8 Programmable systems for the logic solver (p. 149)
5.4 Development of safety PLCs (p. 150)
  5.4.1 Why not use general purpose PLCs for safety functions? (p. 150)
  5.4.2 Upgrading of PLCs for safety applications (p. 155)
  5.4.3 Characteristics of safety PLCs (p. 155)
  5.4.4 Hardware characteristics of a safety PLC (p. 156)
  5.4.5 Software characteristics of a safety PLC (p. 156)
  5.4.6 Design of safety PLCs (p. 157)
  5.4.7 Triple modular redundant or TMR systems (p. 161)
  5.4.8 Safety PLC with 1oo3 architecture (p. 162)
  5.4.9 Communication features of safety controllers (p. 164)
  5.4.10 New developments in communications (p. 166)
5.5 Classification and certification (p. 167)
5.6 Summary (p. 168)
5.7 SIS architecture conventions (p. 168)

6 Basic reliability analysis applied to safety systems (p. 171)
6.1 Introduction (p. 171)
  6.1.1 Design objectives (p. 172)
6.2 Design process (p. 172)
6.3 Failure modes (p. 173)
  6.3.1 Overt failure mode (p. 174)
  6.3.2 Covert failure mode (p. 174)
6.4 Reliability formulae (p. 175)
6.5 Analysis models and methods (p. 178)
  6.5.1 Analysis method (p. 179)
  6.5.2 Calculations for spurious trips (p. 185)
  6.5.3 Conclusions on analysis models (p. 187)
6.6 Some design considerations (p. 187)
  6.6.1 Proof testing basics (p. 187)
  6.6.2 Reliability in a high demand mode (p. 191)
  6.6.3 Comparison of protective systems (p. 191)
  6.6.4 Markov models (p. 192)
  6.6.5 Diagnostic coverage (p. 194)
  6.6.6 Reliability calculation software tools (p. 195)
  6.6.7 Summary (p. 195)
6.7 Summary of parameters used in the reliability analysis of the safety systems (p. 196)
6.8 Some sources of reliability data for instrumentation (p. 197)
6.9 Safety performance calculation packages and reliability databases (p. 199)

7 Safety in field instruments and devices (p. 200)
7.1 Introduction (p. 200)
7.2 Objectives (p. 201)
7.3 Field devices for safety (p. 201)
  7.3.1 Key points about sensors and actuators (p. 201)
  7.3.2 Sensors and actuators dominate reliability issues (p. 202)
7.4 Sensor types (p. 202)
  7.4.1 Using transmitters with trip amplifiers (p. 204)
  7.4.2 A list of potential causes of failures in sensors (p. 206)
  7.4.3 Failure modes (p. 207)
  7.4.4 Actuator types (p. 207)
7.5 Guidelines for the application of field devices (p. 210)
  7.5.1 Design techniques to minimize failures (p. 210)
  7.5.2 Design for fail-safe operation (p. 210)
  7.5.3 Separation of sensors from BPCS (p. 211)
  7.5.4 Sensor diagnostics (p. 214)
  7.5.5 Valve diagnostics (p. 215)
  7.5.6 Redundancy in sensors and actuators (p. 216)
  7.5.7 Diversity (p. 220)
7.6 Design requirements for field devices (p. 221)
  7.6.1 Proven in use (p. 221)
  7.6.2 Instrument selection (p. 222)
  7.6.3 Installation design features (p. 223)
7.7 Technology issues (p. 224)
  7.7.1 Intelligent field devices: advantages and disadvantages (p. 224)
  7.7.2 Application examples (p. 224)
  7.7.3 Safety critical transmitters and positioners (p. 226)
7.8 Summary of field devices for safety (p. 229)

8 Engineering the safety system: hardware (p. 230)
8.1 Introduction (p. 230)
8.2 Project engineering (p. 230)
  8.2.1 Project problems (p. 230)
  8.2.2 IEC requirements (p. 231)
  8.2.3 Functional safety assessment (p. 231)
  8.2.4 Project engineering responsibilities (p. 231)
8.3 Activities in box 9 (p. 233)
  8.3.1 Developing SIL for each application (p. 234)
8.4 ISA clause 7: SIS detailed design (p. 236)
  8.4.1 Clause 7.2 general requirements (p. 236)
  8.4.2 ISA clause 7.3 logic solver (p. 238)
  8.4.3 ISA clause 7.4 field devices (p. 238)
  8.4.4 Clause 7.5 interfaces (p. 239)
  8.4.5 Clause 7.6 power sources (p. 240)
  8.4.6 Clause 7.7 system environment (p. 240)
  8.4.7 Clause 7.8 application logic (p. 241)
  8.4.8 Clause 7.9 maintenance or testing design requirements (p. 241)
8.5 Information flow and documents at the engineering stage (p. 242)
8.6 Conclusion (p. 243)

9 Engineering the application software (p. 244)
9.1 Introduction (p. 244)
  9.1.1 The problem with software (p. 244)
  9.1.2 End user position (p. 246)
  9.1.3 Basics of the software life cycle (p. 246)
  9.1.4 Clause 7: Software safety life cycle (p. 248)
  9.1.5 Application software (p. 248)
  9.1.6 IEC 61511 provides guidance for end users (p. 248)
  9.1.7 Benefits of limited variability languages (p. 249)
  9.1.8 Programming tools (p. 251)
9.2 Application software activity steps (p. 252)
  9.2.1 Application software activities (p. 253)
  9.2.2 Software quality management system (p. 253)
  9.2.3 Certification of operating systems (p. 253)
  9.2.4 Summary of software engineering (p. 254)

10 Overall planning: IEC phases 6, 7 and 8 (p. 255)
10.1 Introduction (p. 255)
  10.1.1 Benefits of planning at the design stage (p. 256)
10.2 Maintenance and operations planning (p. 256)
  10.2.1 What should we cover in maintenance and operation planning? (p. 256)
  10.2.2 IEC 61508 phase 6: overall operation and maintenance planning (p. 256)
10.3 Validation planning (p. 260)
  10.3.1 What should we cover in validation planning? (p. 260)
  10.3.2 IEC box 7: overall validation planning (p. 260)
10.4 Installation and commissioning planning (p. 261)
  10.4.1 What should we cover in installation and commissioning planning? (p. 261)
10.5 IEC phase 8: installation and commissioning planning (p. 261)
10.6 Summary (p. 263)

11 Installation and commissioning (IEC phase 12) (p. 264)
11.1 Introduction (p. 264)
  11.1.1 Flow chart of activities (p. 264)
  11.1.2 Procedures (p. 264)
  11.1.3 Standards (p. 264)
11.2 Factory acceptance tests (p. 265)
  11.2.1 Scope and benefits of FATs (p. 265)
  11.2.2 Test methods for the FAT (p. 266)
  11.2.3 Simulation issues (p. 267)
  11.2.4 FAT supports functional test specs (p. 269)
  11.2.5 Test facilities in development systems (p. 269)
11.3 Installation (p. 269)
  11.3.1 Management of the installation phase (p. 269)
  11.3.2 Installation checks (p. 271)
  11.3.3 Installation complete (p. 273)
  11.3.4 Pre-start-up acceptance tests (PSAT) (p. 274)
  11.3.5 Documentation for the PSAT (p. 274)
  11.3.6 Validation (p. 275)
  11.3.7 Training of technicians and operators (p. 275)
  11.3.8 Handover to operations (p. 276)
  11.3.9 Start up (p. 276)
11.4 Summary (p. 277)
11.5 Documentation required for the pre-start-up acceptance test (p. 277)

12 Validation, operations and management of change (IEC phases 13, 14 and 15) (p. 279)
12.1 Introduction (p. 279)
12.2 Verification, validation and functional safety assessment (p. 279)
  12.2.1 Verification (p. 279)
  12.2.2 Validation (p. 282)
  12.2.3 Functional safety assessment (p. 282)
12.3 Operations, maintenance and repair (p. 284)
  12.3.1 Operator’s viewpoint (p. 284)
  12.3.2 ISA requirements for operating procedures (p. 286)
  12.3.3 Maintenance program (p. 286)
12.4 Functional testing (p. 288)
  12.4.1 Why test? (p. 288)
  12.4.2 Testing guidelines (p. 289)
  12.4.3 Practical functional testing (p. 290)
12.5 Management of change (p. 293)
  12.5.1 When is MOC required? (p. 294)
  12.5.2 When is MOC not required? (p. 294)
  12.5.3 IEC modifications procedure model (p. 294)
  12.5.4 Impact analysis (p. 294)
  12.5.5 Software changes (p. 295)
  12.5.6 MOC summary (p. 295)
12.6 Summary (p. 295)

13 Justification for a safety instrumented system (p. 296)
13.1 Introduction (p. 296)
  13.1.1 Justification issues (p. 297)
13.2 Impact of safety system failures (p. 297)
  13.2.1 Mode 1: dangerous undetected failures of the SIS (p. 297)
  13.2.2 Mode 2: dangerous detected failures of the SIS (p. 298)
  13.2.3 Mode 3: degraded mode of a redundant SIS (p. 298)
  13.2.4 Mode 4: nuisance trip failures of the SIS (p. 299)
13.3 Justification (p. 299)
  13.3.1 Responsibilities (p. 299)
  13.3.2 Life cycle cost method (p. 299)
  13.3.3 Costing example (p. 301)
  13.3.4 PFD comparisons (p. 303)
  13.3.5 Nuisance trip comparisons (p. 303)
  13.3.6 Cost comparisons (p. 303)
  13.3.7 Conclusion (p. 305)